[arch-general] Arch Linux security is still poor....
Further to my previous email a while back I've started work on some proposals that I'd like to pitch to the Arch community and the powers that be. They aren't finished yet but should be soon. The thing is I'm not really aware of the 'chain of command' in Arch. Aaron Griffin, are you the 'benevolent dictator' and do you have the final say? The reason I'm asking is I want to know to whom I address my proposals when they are finished. For example I'll probably be proposing some admin changes, nothing too sweeping but just some things that could be done to implement better security in Arch. For the mean time I've created the IRC channel #archlinux-security on Freenode. Anyone is free to hang out there to discuss security in Arch and how we (emphasis on the we, i.e. the community) can make things better. My IRC nick is psychedelicious, I was previously using a different nick based on a Funkadelic album released in 1971. I won't be on there 24x7 but will be online as much as possible. I'd particularly like to see people on that channel interesting in volunteering to create a Security Response Team for our distro! Also I'm aware I've posted under several different email addresses. After toying with several free providers I decided to stop being a cheapskate and get my own domain so this is my canonical email address now. regards, Ananda Samaddar
Am Montag, 15. März 2010 20:54:03 schrieb Ananda Samaddar:
The reason I'm asking is I want to know to whom I address my proposals when they are finished.
Simple: File a bug report or feature request at bugs.archlinux.org. No idea what your "proposals" are about but you should make sure they only address a single concrete issue. Pierre -- Pierre Schmitz, https://users.archlinux.de/~pierre
On Mon, Mar 15, 2010 at 3:03 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
Am Montag, 15. März 2010 20:54:03 schrieb Ananda Samaddar:
The reason I'm asking is I want to know to whom I address my proposals when they are finished.
Simple: File a bug report or feature request at bugs.archlinux.org. No idea what your "proposals" are about but you should make sure they only address a single concrete issue.
Agreed. Send them through the bug tracker so the relevant people can be notified
On 16/03/10 06:37, Aaron Griffin wrote:
On Mon, Mar 15, 2010 at 3:03 PM, Pierre Schmitz<pierre@archlinux.de> wrote:
Am Montag, 15. März 2010 20:54:03 schrieb Ananda Samaddar:
The reason I'm asking is I want to know to whom I address my proposals when they are finished.
Simple: File a bug report or feature request at bugs.archlinux.org. No idea what your "proposals" are about but you should make sure they only address a single concrete issue.
Agreed. Send them through the bug tracker so the relevant people can be notified
As an aside, I would like to see some numbers on where we could improve in this area. I have been following the CVE announcements and several other distros security releases for the past few months and from what I see, I believe Arch is mostly ahead of the game. Following the latest upstream releases has its advantages. Allan
On Tue, 16 Mar 2010 07:29:45 +1000 Allan McRae <allan@archlinux.org> wrote:
As an aside, I would like to see some numbers on where we could improve in this area. I have been following the CVE announcements and several other distros security releases for the past few months and from what I see, I believe Arch is mostly ahead of the game. Following the latest upstream releases has its advantages.
Allan
This may be true in the sense that by using the latest packages we are incorporating security fixes as they are released by default. I take issue with the fact that there's no dedicated team and nothing in place to deal with security alerts. The other issue being the lack of signed packages. I don't know how much of a problem this is for other Arch users. Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community. Ananda
On Mon, Mar 15, 2010 at 17:43, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
Would there be any enthusiasm for a dedicated security team?
This has been proposed multiple times, but oddly enough no one who has proposed it has ever taken any steps to make it happen...
On Mon, Mar 15, 2010 at 2:43 PM, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community.
No offence taken and FWIW a lot of people switch distros because of one or two fundamental needs that aren't meant. This wouldn't be any different. Look forward to hearing what you have to say...
On Mon, Mar 15, 2010 at 2:56 PM, Thayer Williams <thayerw@gmail.com> wrote:
On Mon, Mar 15, 2010 at 2:43 PM, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community.
No offence taken and FWIW a lot of people switch distros because of one or two fundamental needs that aren't meant. This wouldn't be any different.
...because of one or two fundamental needs that aren't MET; not meant. Carry on =)
On Mon, 15 Mar 2010 14:56:32 -0700 Thayer Williams <thayerw@gmail.com> wrote:
No offence taken and FWIW a lot of people switch distros because of one or two fundamental needs that aren't meant. This wouldn't be any different.
Look forward to hearing what you have to say...
I'd like to help get things moving before I give up on Arch. It's too good a distro not to. I've been having a look at the Gentoo security policy here: http://www.gentoo.org/security/en/vulnerability-policy.xml It looks like a pretty good template we could adapt to our needs. The document in that link is licensed under a Creative Commons attribution licence. It mirrors a lot of the things I was going to suggest too. Ananda
On 15/03/10 22:03, Ananda Samaddar wrote:
On Mon, 15 Mar 2010 14:56:32 -0700 Thayer Williams <thayerw@gmail.com> wrote:
No offence taken and FWIW a lot of people switch distros because of one or two fundamental needs that aren't meant. This wouldn't be any different.
Look forward to hearing what you have to say...
I'd like to help get things moving before I give up on Arch. It's too good a distro not to.
I've been having a look at the Gentoo security policy here:
http://www.gentoo.org/security/en/vulnerability-policy.xml
It looks like a pretty good template we could adapt to our needs. The document in that link is licensed under a Creative Commons attribution licence. It mirrors a lot of the things I was going to suggest too.
After a quick look at it I don't see much that would apply though. Arch doesn't have releases. Arch follows upstream releases very closes (in some cases even too closely ;-) So, if there is no need for backporting to a set of packages that has been blessed into a supported release, what is left to do for a dedicated security team? /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning <magnus@therning.org> wrote:
After a quick look at it I don't see much that would apply though. Arch doesn't have releases. Arch follows upstream releases very closes (in some cases even too closely ;-)
So, if there is no need for backporting to a set of packages that has been blessed into a supported release, what is left to do for a dedicated security team?
1) what allan said : A group could monitor security issues and file bugs to get the devs to fix them. 2) resume and finish the gpg work for pacman & friends
On 15/03/10 22:34, Xavier Chantry wrote:
On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning <magnus@therning.org> wrote:
After a quick look at it I don't see much that would apply though. Arch doesn't have releases. Arch follows upstream releases very closes (in some cases even too closely ;-)
So, if there is no need for backporting to a set of packages that has been blessed into a supported release, what is left to do for a dedicated security team?
1) what allan said : A group could monitor security issues and file bugs to get the devs to fix them.
Is there any evidence that this is actually needed? My impression is that maintainers already are monitoring upstream releases. When they are lagging, there are users who mark things out-of-date. The occasional non-maintainer upload doesn't seem to warrant a dedicated team.
2) resume and finish the gpg work for pacman & friends
Sure, that is worth doing. Is it really a task for a dedicated security team? It sounds more like a one-time thing for a group of developers. Please do note that I'm more than willing to be convinced. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
On 16/03/10 08:42, Magnus Therning wrote:
On 15/03/10 22:34, Xavier Chantry wrote:
On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning<magnus@therning.org> wrote:
After a quick look at it I don't see much that would apply though. Arch doesn't have releases. Arch follows upstream releases very closes (in some cases even too closely ;-)
So, if there is no need for backporting to a set of packages that has been blessed into a supported release, what is left to do for a dedicated security team?
1) what allan said : A group could monitor security issues and file bugs to get the devs to fix them.
Is there any evidence that this is actually needed?
My impression is that maintainers already are monitoring upstream releases. When they are lagging, there are users who mark things out-of-date. The occasional non-maintainer upload doesn't seem to warrant a dedicated team.
A bump for something being out of date is quite different from a bump for something being out of date and has a security issues. I also know that there are cases where the security issue fixes are not considered critical by upstream and so they are only patched in CVS/SVN/whatever. These are obviously cases where the expliot is not practical at this time, so there is no rush to fix but we probably still should. But again, I would like to see numbers for how much this is actually an issue. Saying that, if the number is above zero (likely), a security team could do some good. Allan
On Mon, Mar 15, 2010 at 11:42 PM, Magnus Therning <magnus@therning.org> wrote:
1) what allan said : A group could monitor security issues and file bugs to get the devs to fix them.
Is there any evidence that this is actually needed?
No, Allan asked for some numbers, and I am curious too.
My impression is that maintainers already are monitoring upstream releases. When they are lagging, there are users who mark things out-of-date. The occasional non-maintainer upload doesn't seem to warrant a dedicated team.
2) resume and finish the gpg work for pacman & friends
Sure, that is worth doing. Is it really a task for a dedicated security team? It sounds more like a one-time thing for a group of developers.
This is also true.. more or less. It does not matter how the people doing the work are called. There is no one writing code, no one giving technical advices, no one testing. There are only users asking for signed packages.
On 15/03/10 23:03, Xavier Chantry wrote:
On Mon, Mar 15, 2010 at 11:42 PM, Magnus Therning <magnus@therning.org> wrote: [..]
2) resume and finish the gpg work for pacman & friends
Sure, that is worth doing. Is it really a task for a dedicated security team? It sounds more like a one-time thing for a group of developers.
This is also true.. more or less. It does not matter how the people doing the work are called. There is no one writing code, no one giving technical advices, no one testing. There are only users asking for signed packages.
I'd argue it *is* important what you call them. In one case one would ask for some developer(s) to dedicate some time during a limited period, while in the other one is asking for on-going commitment. I think it's *crucial* to position the proposal correctly. Getting a feature implemented in pacman is likely to be easier than getting a group of people to sign up for a task that never ends. Though I'm not saying either will be easy. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though. -- Nilesh Govindarajan Site & Server Administrator www.itech7.com
I would have thought that this only makes sense in the context of a "point-in-time release". i.e. you have a server which isn't updated as regularly as your desktop. The onus then is on the user to ensure that the versions of packages they are using are "safe". I don't see this as a problem with the rolling release system that Arch uses. Where it does make sense is if a publicly available, LTS type "server" repository is used. Then it would be up to the maintainer of the repo to keep on top of security fixes. regards Chris -- Calling the unnamed register the unnamed register really does nothing but negate the name the unnamed register and render the unnamed register useless as a name, thus the unnamed register is named the unnamed register and is no longer the unnamed register as it is named the unnamed register, so where is the unnamed register to be found and what do we call it! Steve Oualline, The book of vim.
On 03/16/2010 06:53 PM, Chris Allison wrote:
I would have thought that this only makes sense in the context of a "point-in-time release". i.e. you have a server which isn't updated as regularly as your desktop. The onus then is on the user to ensure that the versions of packages they are using are "safe".
I don't see this as a problem with the rolling release system that Arch uses.
Where it does make sense is if a publicly available, LTS type "server" repository is used. Then it would be up to the maintainer of the repo to keep on top of security fixes.
regards
Chris
Actually speaking, Arch is ideal for a server. With proper customization abilities and up-to-date software, your server is less likely to get compromised (unless improperly configured) in contrary to those of CentOS, RHEL < (yeah it is less than) Fedora, Ubuntu, etc. which keep very old packages. -- Nilesh Govindarajan Site & Server Adminstrator www.itech7.com
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package. Jared
On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@gmail.com> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package.
Jared
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things. -- Nilesh Govindarajan Site & Server Administrator www.itech7.com
On Tue, Mar 16, 2010 at 1:24 PM, Nilesh Govindarajan <lists@itech7.com> wrote:
On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@gmail.com> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package.
Jared
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things.
Users who want these things, please start joining the pacman dev team.
On Tue, Mar 16, 2010 at 13:24, Nilesh Govindarajan <lists@itech7.com> wrote:
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things. And you're paying them how much that allows you to tell them what to work on? Seriously, patches welcome.
On Tue, Mar 16, 2010 at 12:34 PM, Daenyth Blank <daenyth+arch@gmail.com> wrote:
On Tue, Mar 16, 2010 at 13:24, Nilesh Govindarajan <lists@itech7.com> wrote:
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things. And you're paying them how much that allows you to tell them what to work on? Seriously, patches welcome.
Also... don't assume they read the mailing list. Post the feature request on the bug tracker. This is apparently the hardest concept for all these types of threads. Someone - go post it now and paste the link in this thread
Am Dienstag, 16. März 2010 18:24:46 schrieb Nilesh Govindarajan:
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things.
You got it wrong. Nothing will change until you start working on this. I have seen those discussions during the last 6 years and none of them ever lead into a working implementation. -- Pierre Schmitz, https://users.archlinux.de/~pierre
On 03/16/2010 07:24 PM, Nilesh Govindarajan wrote:
On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper<jaredcasper@gmail.com> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin<aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan<lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package.
Jared
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things.
sudo make me a sandwich. -- Ionut
On Tue, Mar 16, 2010 at 12:18 PM, Jared Casper <jaredcasper@gmail.com> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package.
Is this a feature request in the bug tracker? Please add it if you want this functionality. That's the only way it will ever happen
On Tue, Mar 16, 2010 at 10:30 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
Is this a feature request in the bug tracker? Please add it if you want this functionality. That's the only way it will ever happen
It's been there for years: http://bugs.archlinux.org/task/11091 I just wanted to point out that the "md5sum verification" spoken of generally means something different in a security context than what is already being done. Jared
On 16/03/10 07:43, Ananda Samaddar wrote:
On Tue, 16 Mar 2010 07:29:45 +1000 Allan McRae<allan@archlinux.org> wrote:
As an aside, I would like to see some numbers on where we could improve in this area. I have been following the CVE announcements and several other distros security releases for the past few months and from what I see, I believe Arch is mostly ahead of the game. Following the latest upstream releases has its advantages.
Allan
This may be true in the sense that by using the latest packages we are incorporating security fixes as they are released by default. I take issue with the fact that there's no dedicated team and nothing in place to deal with security alerts.
There is no dedicated team, but as I said, we appear to be mostly ahead of the game in this respect. I would be interested to see how many packages suffer from security issues that we miss.
The other issue being the lack of signed packages.
Providing code is the way to fix this. There is a good start that has been made and it mostly needs someone dedicated to finish it off.
I don't know how much of a problem this is for other Arch users.
Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community.
Sure there is enthusiasm for such a venture, at least judging by how many times this has been bought up in the past. I think one or two of those times an actual project started up but then died. So it appears enthusiasm yes, continual motivation no (at least up until now...). And, this is a great candidate for a community project. A group could monitor security issues and file bugs to get the devs to fix them. This is the way all Arch projects start and if they are useful, they may get taken on board and made official. Allan
On 15/03/10 21:43, Ananda Samaddar wrote: [..]
Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community.
What would a dedicated security team actually do? /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
On Mon, Mar 15, 2010 at 5:43 PM, Ananda Samaddar <ananda@samaddar.co.uk>
Would there be any enthusiasm for a dedicated security team? I feel strongly enough about it that if something can't be done then I'm switching to another distro. Despite the fact that I really like Arch, it's one deficiency is a pretty glaring one in my opinion. I hope this doesn't turn into a flamefest and my opinions are by no means meant to be a slight on the Arch devs or community.
I'm going to chime in and repeat what some of the others have said - I too would like to see some evidence that Arch as a distro has security issues other that those that should be fixed upstream. Since Arch always has the latest versions of software, it should automatically have all the latest security fixes - there's no need to backport patches to old versions of software, like Debian does. Security issues arising from poor default config files should be and are addressed by individual package maintainers. Again, I'm not aware of any cases where a maintainer's poor job resulted in a security issue - probably because each package is a vanilla package and doesn't contain any customized configs (again, Debian comes to mind). Best, Denis.
I would love to jump into pacman-dev team. But I don't know C or C++ whatever pacman is written in. :( :( :( I can contribute in PHP. -- Nilesh Govindarajan Site & Server Administrator www.itech7.com
On Tue, Mar 16, 2010 at 10:39 PM, Nilesh Govindarajan <lists@itech7.com> wrote:
I would love to jump into pacman-dev team. But I don't know C or C++ whatever pacman is written in. :( :( :( I can contribute in PHP.
You might then want to look into helping out the devs of the AUR webapp, if you care about it. They have an aur-dev mailing list, and their code is at http://projects.archlinux.org/aur.git/ . (But I think this is off-topic to this thread.)
On Wednesday 17 Mar 2010 8:09:47 am Nilesh Govindarajan wrote:
I would love to jump into pacman-dev team. But I don't know C or C++ whatever pacman is written in. :( :( :( I can contribute in PHP. Hi, Please help in AUR, there is lot of work needed to be done. http://bugs.archlinux.org/index.php?project=2 -- Regards, Gaurish Sharma www.gaurishsharma.com
On 03/21/2010 08:47 PM, Gaurish Sharma wrote:
On Wednesday 17 Mar 2010 8:09:47 am Nilesh Govindarajan wrote:
I would love to jump into pacman-dev team. But I don't know C or C++ whatever pacman is written in. :( :( :( I can contribute in PHP. Hi, Please help in AUR, there is lot of work needed to be done. http://bugs.archlinux.org/index.php?project=2
Yeah, I'll look into it after my exams (25 March 2010). -- Nilesh Govindarajan Site & Server Administrator www.itech7.com
On Tuesday 16 Mar 2010 2:59:45 am Allan McRae wrote:
As an aside, I would like to see some numbers on where we could improve in this area. I have been following the CVE announcements and several other distros security releases for the past few months and from what I see, I believe Arch is mostly ahead of the game. Following the latest upstream releases has its advantages.
Allan
Hi Allan, The major thing we are missing on is: Package signing It there is a need to catch up with other distros on this. Package signing is extremely important to ensure that nobody can tamper the packages. similarly should be way to package's integrity -- Regards, Gaurish Sharma www.gaurishsharma.com
participants (15)
-
Aaron Griffin
-
Allan McRae
-
Ananda Samaddar
-
Chris Allison
-
Daenyth Blank
-
Denis Kobozev
-
Gaurish Sharma
-
Ionut Biru
-
Jared Casper
-
Magnus Therning
-
Nilesh Govindarajan
-
Pierre Schmitz
-
Ray Kohler
-
Thayer Williams
-
Xavier Chantry